Christopher Roberts
2015-Jun-29 16:51 UTC
[Samba] Samba 4.2.2 AD Server - Winbind CPU 100% Password Expired
I installed a new Linux server for remote user access using Ubuntu 14.04 and x2goserver, authenticating against our existing Samba 4.2.2 AD server.

All was working beautifully for a couple of days, with myself and one other user. Then the other user's AD password expired, after which when they attempted to log in winbindd spiralled out of control. Ended up with several 100% CPU winbindd processes and the server almost completely unresponsive.

Errors in logs stating "Exceeding 200 client connections". Auth.log indicated an authorisation failure.

I changed the max connections from 200 to 50, in the hope that at least the server would remain responsive (which worked). Stopping Winbind and killing the hung processes cleared the problem, until they tried again, when the problem repeated itself.

Even a simple SSH login triggered the problem, so this would not appear to be anything to do with x2go.

It turned out to be a simple password expiry. Logging onto a Windows client prompted for the password change and all was well, but a single user's password expiring shouldn't really hang the server.

It is quite possible that I have misconfigured the Linux Samba, Pam, SSH, Kerberos etc configuration on this x2goserver, as finding an up-to-date howto proved difficult. For example:

https://wiki.samba.org/index.php/Configuring_a_Linux_client_for_AD

I seemed to recall that you shouldn't use likewise open or its successor, and in the end I did something along these lines:

http://ubuntuforums.org/showthread.php?t=91510

If anyone has any suggestions for configuring the linux client to cope with password expiry, I would appreciate it.

Thanks,

Chris.
Rowland Penny
2015-Jun-29 17:09 UTC
[Samba] Samba 4.2.2 AD Server - Winbind CPU 100% Password Expired
On 29/06/15 17:51, Christopher Roberts wrote:
> I installed a new Linux server for remote user access using Ubuntu 14.04 and
> x2goserver, authenticating against our existing Samba 4.2.2 AD server.
>
> All was working beautifully for a couple of days, with myself and one other
> user. Then the other user's AD password expired, after which when they
> attempted to log in winbindd spiralled out of control. Ended up with several
> 100% CPU winbindd processes and the server almost completely unresponsive.
>
> Errors in logs stating "Exceeding 200 client connections". Auth.log
> indicated an authorisation failure.
>
> I changed the max connections from 200 to 50, in the hope that at least the
> server would remain responsive (which worked). Stopping Winbind and killing
> the hung processes cleared the problem, until they tried again, when the
> problem repeated itself.
>
> Even a simple SSH login triggered the problem, so this would not appear to
> be anything to do with x2go.
>
> It turned out to be a simple password expiry. Logging onto a Windows client
> prompted for the password change and all was well, but a single user's
> password expiring shouldn't really hang the server.
>
> It is quite possible that I have misconfigured the Linux Samba, Pam, SSH,
> Kerberos etc configuration on this x2goserver, as finding an up-to-date
> howto proved difficult. For example:
>
> https://wiki.samba.org/index.php/Configuring_a_Linux_client_for_AD
>
> I seemed to recall that you shouldn't use likewise open or its successor,
> and in the end I did something along these lines:
>
> http://ubuntuforums.org/showthread.php?t=91510
>
> If anyone has any suggestions for configuring the linux client to cope with
> password expiry, I would appreciate it.
>
> Thanks,
>
> Chris.
>

OK, what you have to remember/realise is a samba AD client is not much different from a samba member server, it doesn't serve (unless you want it to) files but you should set it up in the same way, have a look here:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland